Equifax Ltd fined £500,000 for significant breaches of the DPA 1998

On 20th September the Information Commissioner issued Equifax Ltd with a £500,000 monetary penalty, the biggest fine it has issued to date, and the maximum allowed under the Data Protection Act 1998. Although half a million pounds might sound a significant amount of money, it represents a relatively modest amount compared to the fine the company might have received had the breach occurred 12 months later, under the GDPR regime.

In this blog we consider the incident, the actions of the parties and we speculate on what type of sanctions the company could have faced under the GDPR.

The background

Equifax Ltd is a major credit reference agency based in the UK. Since 2011 it has offered a product called the Equifax Identity Verifier (EIV) which enables clients to verify the identity of their customers, online, over the telephone or in person. To verify an individual’s identity, the client enters that individual’s personal information on the Equifax system, which is then checked against other sources held by Equifax Ltd. Initially the EIV was processed by its US parent, Equifax Inc. Equifax Ltd in the UK was the data controller and Equifax Inc in the USA was the data processor. In 2016, Equifax Ltd transferred the data processing for the EIV product to the UK. This required the migration of the personal data to the UK. However, the US company did not then delete all the UK personal data from its system, which it should have done as it had no lawful reason for continuing to store this data.

The cyber-attack incidents

Equifax Inc was subject to a number of cyber-attacks between 13 May and 30 July 2017. During this period the attackers exploited a vulnerability in the US company’s online consumer-facing disputes portal. This enabled the attackers to access personal data of about 146 million individuals in the USA. Additionally, they were able to access the name and date of birth of up to 15 million UK individuals, contained in the EIV dataset. In addition, in respect of some 637,430 UK data subjects, their telephone numbers and driving licence numbers were also compromised.

An additional data set (the GCS dataset) was also attacked and this allowed the hackers to access the email addresses of over 12,000 UK individuals. More significantly, for another 14,961 UK residents the compromised data was account information for Equifax’s credit services and included data subjects’ name, address, date of birth, user name, password (in plain text), secret question and answer (also in plain text), credit card number (obscured) and some payment amounts. This personal data was held in a plain text file, as opposed to the actual database. The storage of password data in plain text was contrary to the company’s Cryptography Standard, which specifically required that passwords were to be stored in encrypted, hashed, masked, tokenised or other form. The file was held in a file share which was accessible to multiple users.

In March 2017 Equifax Inc. received warning of the vulnerability of its Apache Struts 2 web application framework (which it used in its consumer-facing online disputes portal). The warning came from the US Department of Homeland Security Computer Emergency Readiness Team, which identified a critical level of vulnerability. The US company disseminated this warning to key personnel, but the consumer-facing portal was neither identified nor patched.

Equifax Inc. became aware of the cyber attack on 29 July 2017, and then further aware that the data of UK individuals had been compromised by late August 2017. However, Equifax Inc failed to warn Equifax Ltd until late on 7 September 2017, at least a week after it became aware the UK personal data had been compromised.

Equifax Ltd notified the ICO on 8th September. In this respect, its behaviour would have met the strict breach notification requirements of the GDPR, which require a data controller to notify the Commissioner within 72 hours of becoming aware of the breach. Initially they reported that about 1.49 million individuals’ data had been lost. This was later revised upwards to 15 million data subjects. They also indicated, incorrectly, that the data accessed did not include residential addresses or financial information.

The Information Commissioner’s Findings

On the facts, the Information Commissioner decided that although the information systems in the USA were compromised, Equifax Ltd was the data controller responsible for the personal data of its UK customers. The Commissioner found that Equifax had failed to take appropriate steps to ensure its US parent, and data processor, was protecting the information. The Monetary Penalty Notice lists the various contraventions of the DPA 1998:

  • Principles 5, 2 and 1
    • Following the migration of the EIV dataset from the US to the UK, it was no longer necessary for the US company to keep any of the data. The data set had not been deleted in full and was kept longer than necessary.
    • In relation to the GCS dataset stored on the US system, Equifax Ltd was not sufficiently aware of the purpose for which it was being processed until after the breach. In the absence of any lawful purpose the retention was unnecessary.
    • The UK company failed to follow up or check that the data had been removed from the US systems, or to have an adequate process in place to check this was done.
  • Principle 7
    • Equifax had not undertaken an adequate risk assessment(s) of the security arrangements put in place by its data processor before transferring the data to it or following the transfer.
    • The Data Processing Agreement between Equifax Ltd and Equifax Inc was inadequate and failed to provide appropriate safeguards / security safeguards or the standard clauses.
    • Equifax Ltd had failed to ensure adequate security measures were in place. The Commissioner identified numerous examples of the inadequacy of the safeguards that were in place, including the lack of encryption; the use of plain text data, allowing multiple users to have access to plaintext files; failing to address IT vulnerabilities; having out of date software; and failing to undertake sufficient and regular system scans.
    • Poor communications between the UK and US companies, particularly in relation to the US company’s delay in making the data controller aware of the breach.
  • Principle 8
    • The Data Processing Agreement between Equifax UK and Equifax Inc was inadequate in that it failed to incorporate the standard contractual clauses as a separate agreement and/or to provide appropriate safeguards for data transfers outside the EEA.
    • There was therefore a lack of a legal basis for the international transfer of this data.

Overall the Information Commissioner found multiple failures at Equifax Ltd, which led to personal information being kept longer than necessary and vulnerable to unauthorised access. Given the nature of the breaches, individuals were exposed to the risk of financial and identity fraud. The Commissioner concluded that the maximum financial penalty it could levy was proportionate in all the circumstances.

What difference would it make if this happened under the GDPR?

If the same breaches had occurred post May 25th then both Equifax Ltd and Equifax Inc. might find themselves in a substantially different situation.

The level of fine: The most obvious difference would be in relation to the level of fine that the ICO could impose. Under Article 83 GDPR the ICO can impose a fine of up to £17 million (20m Euro) or 4% of global turnover. Equifax Ltd is part of a global group that operates or has investments in over 24 countries. According to its 2016 Annual Report the Equifax Group’s global annual revenue for 2016 was $3,144.9 million. 4% of this is about $125 million. In 2016 the UK company, Equifax Ltd, recorded revenue of £114.6 million. This alone could lead to a fine of over £4.5 million.

Data Subjects’ rights to sue for damages: Although this is not a new right under the GDPR, the GDPR now expressly permits individuals to sue for both material (financial) and non-material damage, such as distress. In many respects this represents a bigger risk for companies such as Equifax who are processing data whose loss could cause significant harm to data subjects. Given the heightened awareness amongst the public of the GDPR, it is not difficult to anticipate that these types of high-volume breaches could result in class actions for compensation.

Breach Notification: Article 33 imposes a condition that data processors must notify data controllers ‘without undue delay’ if they become aware of a data breach. The delay on the part of the US company in informing the UK company would constitute a breach of Article 33.

Notifying Data Subjects: Under Article 34 GDPR the Data Controller has a duty to notify data subjects that their personal data has been breached, where the breach is likely to result in a high risk to their rights and freedoms. Equifax Ltd issued a press release on 7th October 2017 saying that it would “now begin writing to all impacted customers with immediate effect”. This again does not meet the requirement of notification ‘without undue delay’.

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. New Dates added for London!

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Don’t forget about our GDPR Helpline; it’s a great tool to use for some advice when you really need it.

New IRMS Certificate in Information Governance

Today, the Information and Records Management Society (IRMS) and Act Now Training launched the IRMS Foundation Certificate in Information Governance. This represents the first fully online certificated course covering data protection, freedom of information and records management.

In difficult economic times, traditional face-to-face learning is often the first activity to fall victim to budget cuts. However, the area of Information Governance is currently the subject of rapid change. After four years of negotiation, the new EU General Data Protection Regulation (GDPR) has now been formally adopted by the European Parliament and will come into force on 25th May 2018. The FOI Commission’s report, published in March, will lead to additional obligations for public authorities under the Freedom of Information Act. And the list goes on…

Employees and managers, both in the public and private sector, need timely and cost effective IG training. The IRMS Foundation Certificate in Information Governance is the solution. This is an online certificated course designed for information management professionals who need to know about the basics of information rights and information management in their job role. It is an ideal starter qualification for those who wish to then progress to more advanced qualifications such as our Practitioner Certificate in Data Protection and the BCS FOI and DP Certificates.

Launched at the 2016 IRMS conference in Brighton, the IRMS Foundation Certificate in Information Governance is a fully online yet interactive course. There are four learning modules (Records Management, Security and Information Assurance, Data Protection and Freedom of Information). Using the latest web based technology, delegates will be able to learn from the comfort of their own desk by attending four live online webinars. In addition they will be able to tailor their learning through doing four recorded modules from a choice of six. Finally they will do a short online assessment to achieve the certificate endorsed by the excellent reputation of the IRMS.

Ibrahim Hasan, Director of Act Now Training, has developed the course with IRMS colleagues. He said:

“I am really pleased to have been involved with the development of this ground breaking new online qualification. I have used my experience in delivering Information Governance training for many years to help create a product which will hopefully meet a previously unmet demand amongst Information Management professionals.”

Meic Pierce Owen, the Chair of the IRMS said:

“I am genuinely proud to have overseen the development of this important qualification that offers all information professionals the opportunity to gain a solid grounding in contemporary Information Governance (IG). This qualification has relevance across all sectors and is equally valid for those looking to master the basics of contemporary IG as it is for those looking to progress to practitioner level study.

As a generalist practitioner who qualified from University just ahead of Data Protection, Freedom of Information and Information Security being covered in any detail on the courses, I am also delighted to put my money where my mouth is and be the first to sign up to study for this qualification, which I believe to be relevant to my CPD as well as being excellent value for money. I shall let you know how I get on…”

If you would like to know more about this exciting new course please visit us at the IRMS stand at the Brighton conference. See also our dedicated IRMS Certificate webpages or get in touch.

Be an Information Superhero and gain a Superhero Qualification!

@FOIManUK on Records management – Just Do It!

At the 2012 Information and Records Management Society (IRMS) Conference, Northumbria University academic Julie McLeod asked the audience a simple question. She asked how many of those present worked for an organisation that had articulated a vision for electronic records management. Less than 10% of the audience raised their hands.

On first sight, that’s a pretty startling statistic. The IRMS is the main industry body for records managers. If anyone could be expected to have articulated a vision for electronic records management, it was the people in that room.

But the truth is, I’m not that surprised by Julie’s experience.

Firstly, I think it’s partly to do with what Julie asked. If she’d asked whether those present had a records management policy, I suspect a much bigger proportion would have put their hands up. And many records management policies probably include a statement saying how the organisation aspires to manage electronic records. That’s a vision – but those present probably didn’t think of it as such.

But what about those who just don’t have any statement? I suspect a lot of people in that room didn’t have anything – no policy, no strategy, no vision. And I think I know why.

The people responsible for records management in a lot of organisations are nervous of getting it wrong. And all the talk of visions, strategies and programmes isn’t helping. All the competing theories and evolving attitudes are hard to keep up with. 10 years ago, public bodies were being encouraged to adopt electronic document and records management systems. Now it’s rare to hear a success story about such systems, and hardly anyone thinks they’re a good idea. How do you come up with a vision for the future operation of your organisation when the future keeps changing?

What’s more, in most organisations, the person responsible for records management may be relatively junior. Often they will be someone who was drafted into the role; it might only be part of their job.

But it is important that records management is addressed. Any business needs to manage its information. Back at the start of my career I worked for a pharmaceutical company. Our records management unit ensured that they were able to prove that they discovered their marketed drugs first – some of those records were worth billions to the business.

And it is necessary for compliance with legislation. For example, if you look at many civil monetary penalties issued by the Information Commissioner’s Office, you will find that poor records management played a part.

And public authorities of course are subject to the Freedom of Information Act. Section 46 of the Act requires the Lord Chancellor to issue a Code of Practice on the management of records. The Code of Practice was written by the National Archives and sets out the features that they expect to see in public authorities’ records management. Whilst not a statutory requirement, the Information Commissioner is unlikely to look kindly on a public authority that fails to meet its FOI obligations due to records management failings. Indeed he has been known to issue a practice recommendation to an authority insisting that they improve their records management.

So organisations – especially public sector ones – need to do something about records management. But what?

We can start by using the Code of Practice as a guide. What do the experts at the National Archives think should be in place?

And we can stop letting “the best be the enemy of the good”. Julie McLeod’s straw poll, as well as the more detailed research she was reporting on at the conference, showed that many organisations had done very little. What actually needs to happen is something. We should improve records management one step at a time. We must be pragmatic.

That’s what I’m going to attempt to do in my new course for Act Now Training on Records Management and the Section 46 Code of Practice. I’ll explain the different requirements of the Code and practical things you can do to meet them. That’s obvious. But I’ll also tell you not to panic. Don’t try to do it all at once. What are the key things you can do that will improve your records management almost overnight? You will leave with an action plan for your organisation – so you’ll instantly be ahead of 90% of those conference delegates I mentioned. The key words are “Just Do It.”

Paul Gibbons (aka FOIMan) blogs at http://www.foiman.com. He also delivers our Practical FOI course.